
jeecg-boot: /jeecg-boot/sys/category/loadOne interface field parameter has SQL injection #3663

Closed
Garck3h opened this issue May 2, 2022 · 8 comments

Comments

@Garck3h commented May 2, 2022

Version:

<=3.2

Problem description:

After testing, I found that the jeecg-boot /jeecg-boot/sys/category/loadOne interface's field parameter has SQL injection.

SQL injection exists in an interface that queries the data of the classification dictionary. After downloading the project source code from https://github.com/jeecgboot/jeecg-boot and launching it, capturing the request and modifying it allows SQL injection to be performed; the use of sqlmap for the SQL injection is also illustrated.

The data received by the interface is consistent with the data in the classification dictionary, but it is not the production interface of the classification dictionary. See the following two figures:
[image]
[image]

Screenshots & code:

Payload (view MySQL version): /jeecg-boot/sys/category/loadOne?_t=1651480890&field=extractvalue(1,concat(char(126),(version()),md5(1678381038)))&val=f39a06bf9f390ba4a53d11bc4e0018d7

[image]

Payload (view the current user name and host name of MySQL): /jeecg-boot/sys/category/loadOne?_t=1651480890&field=extractvalue(1,concat(char(126),(user()),md5(1678381038)))&val=f39a06bf9f390ba4a53d11bc4e0018d7

[image]

Results injected using sqlmap:
[image]

Getting the database:
[image]

Here is the risk code:
[image]

Friendly reminder (to improve issue handling efficiency):

  • Posts that do not follow the required format will be deleted directly;
  • Please judge for yourself whether the problem description is clear and convenient for us to investigate and handle;
  • For the problem, please state whether it is an Online feature (state the theme template used) or generated code;
  • Descriptions that are too brief or vague to be handled will be deleted directly;

@zhangdaiscott (Member)

Logged, ty

@tygithub1

In the "classified dictionary" menu, there is no interface like the one you described being called. If you want to test this interface /sys/category/loadOne, please pass a plain string instead of an expression.

@Garck3h (Author) commented May 6, 2022

In the "classified dictionary" menu, there is no interface like the one you described being called. If you want to test this interface /sys/category/loadOne, please pass a plain string instead of an expression.

Oh, sorry. It may not be in the "classification dictionary" menu bar, but it does exist; it can query the "classification dictionary" data, and the attack works by changing the value of "field", as shown in the normal request result:
[image]

@Garck3h (Author) commented May 6, 2022

In the "classified dictionary" menu, there is no interface like the one you described being called. If you want to test this interface /sys/category/loadOne, please pass a plain string instead of an expression.

Hello, I have confirmed that the interface exists. When you perform the following steps, you will find the packet request: Common Cases --> Custom Components --> Tree Dictionary:
[image]
[image]

@tygithub1 commented May 6, 2022

I got it, you can try like this:

```java
@RequestMapping(value = "/loadOne", method = RequestMethod.GET)
public Result<SysCategory> loadOne(@RequestParam(name = "field") String field,
                                   @RequestParam(name = "val") String val) {
    Result<SysCategory> result = new Result<SysCategory>();
    try {
        // check whether the field is a property of the entity
        boolean isClassField = SqlInjectionUtil.isClassField(field, SysCategory.class);
        if (!isClassField) {
            return Result.error("字段无效,请检查!");
        }

        QueryWrapper<SysCategory> query = new QueryWrapper<SysCategory>();
        query.eq(field, val);
        List<SysCategory> ls = this.sysCategoryService.list(query);
        // ...many lines omitted

// in SqlInjectionUtil
/**
 * Determine whether the given field is a property of the class
 * @param field field name supplied by the caller
 * @param clazz entity class whose declared fields form the allowlist
 * @return true if a declared field with that name exists (case-insensitive)
 */
public static boolean isClassField(String field, Class clazz) {
    Field[] fields = clazz.getDeclaredFields();
    for (int i = 0; i < fields.length; i++) {
        if (fields[i].getName().equalsIgnoreCase(field)) {
            return true;
        }
    }
    return false;
}
```
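
As an added example (not code from jeecg-boot or from the commenter), the following stand-alone Java program puts the reflective allowlist from the comment above beside the vulnerable pass-through, with two extras a practitioner would want: static fields are skipped, and the entity field is mapped to an assumed snake_case column name so only a known column ever reaches the query. The SysCategory stand-in and its fields are constructed for the demo.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

public class LoadOneFieldAllowlist {
    /** Constructed stand-in for the SysCategory entity; field names are assumed. */
    static class SysCategory {
        private String id;
        private String name;
        private static final long serialVersionUID = 1L; // must never become a column
    }

    /** Before the fix: the caller-supplied field name is spliced straight into SQL. */
    static String vulnerableWhere(String field) {
        return "WHERE " + field + " = ?";
    }

    /** Build the allowlist once: non-static entity fields, keyed case-insensitively,
     *  mapped to a snake_case column name (assumed naming convention). */
    static Map<String, String> allowedColumns(Class<?> entity) {
        Map<String, String> cols = new HashMap<>();
        for (Field f : entity.getDeclaredFields()) {
            if (Modifier.isStatic(f.getModifiers())) continue;
            String col = f.getName().replaceAll("([A-Z])", "_$1").toLowerCase(Locale.ROOT);
            cols.put(f.getName().toLowerCase(Locale.ROOT), col);
        }
        return cols;
    }

    /** After the fix: only an allowlisted column reaches SQL; the value stays a bind parameter. */
    static String safeWhere(String field, Map<String, String> allowed) {
        String col = allowed.get(field.toLowerCase(Locale.ROOT));
        if (col == null) {
            throw new IllegalArgumentException("invalid field: " + field);
        }
        return "WHERE " + col + " = ?";
    }

    public static void main(String[] args) {
        Map<String, String> allowed = allowedColumns(SysCategory.class);
        String hostile = "extractvalue(1,concat(char(126),(version())))"; // shape of the reported payload
        System.out.println(vulnerableWhere(hostile));   // the expression lands inside the query
        System.out.println(safeWhere("Name", allowed)); // WHERE name = ?
        try {
            safeWhere(hostile, allowed);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```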

@Garck3h (Author) commented May 7, 2022

I got it, you can try like this:

```java
@RequestMapping(value = "/loadOne", method = RequestMethod.GET)
public Result<SysCategory> loadOne(@RequestParam(name = "field") String field,
                                   @RequestParam(name = "val") String val) {
    Result<SysCategory> result = new Result<SysCategory>();
    try {
        // check whether the field is a property of the entity
        boolean isClassField = SqlInjectionUtil.isClassField(field, SysCategory.class);
        if (!isClassField) {
            return Result.error("字段无效,请检查!");
        }

        QueryWrapper<SysCategory> query = new QueryWrapper<SysCategory>();
        query.eq(field, val);
        List<SysCategory> ls = this.sysCategoryService.list(query);
        // ...many lines omitted

// in SqlInjectionUtil
/**
 * Determine whether the given field is a property of the class
 * @param field field name supplied by the caller
 * @param clazz entity class whose declared fields form the allowlist
 * @return true if a declared field with that name exists (case-insensitive)
 */
public static boolean isClassField(String field, Class clazz) {
    Field[] fields = clazz.getDeclaredFields();
    for (int i = 0; i < fields.length; i++) {
        if (fields[i].getName().equalsIgnoreCase(field)) {
            return true;
        }
    }
    return false;
}
```

[image]
When I give it some malicious statements, I can query the version of the database, the database name and other information, and even pull down the whole database's data, so it is very dangerous. Apologies to the official website for the offense; the above verification was done there.

@zhangdaiscott (Member)

Handled

@chuxl2017

@zhangdaiscott May I ask which commit is the corresponding one?
